Analysis

max time kernel: 94s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 15:59
Behavioral task: behavioral1
  Sample: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
  Resource: win10v2004-20240802-en
General

Target: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
Size: 5.0MB
MD5: 68d6f593506c81b48a05363139063540
SHA1: 8c86e47a672d00eaf5d9967f23156b19bca7d510
SHA256: 24fdf5cb3d32d3ecedf3c0a1164d31b5134703e0526d690e5b7e6d64258ce1ae
SHA512: f8aa59a3d4e5bc97d81cb77f828e0f93f677456f8d7f7b706ff635a6fad7fb444c9689e82f24f1c32a3fa52b375b9a832a72f5bb70cd28e786f65967d9b90a0d
SSDEEP: 49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnZ:r56utgpPFotBER/mQ32lUT
Malware Config

Signatures

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
Processes

Network

Traffic figures per flow are bytes sent, bytes received, packets sent, packets received.

Remote address: 8.8.8.8:53 (dns)
  Request: 149.220.183.52.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 73 B sent, 147 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 1.181.190.20.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 71 B sent, 157 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 73 B sent, 144 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 104.219.191.52.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 73 B sent, 147 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 228.249.119.40.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 73 B sent, 159 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Domain: s3.us-east-2.amazonaws.com
  Process: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
  Request: s3.us-east-2.amazonaws.com IN A
  Response:
    s3.us-east-2.amazonaws.com IN A 52.219.110.169
    s3.us-east-2.amazonaws.com IN A 52.219.102.41
    s3.us-east-2.amazonaws.com IN A 52.219.233.161
    s3.us-east-2.amazonaws.com IN A 52.219.177.169
    s3.us-east-2.amazonaws.com IN A 52.219.92.121
    s3.us-east-2.amazonaws.com IN A 52.219.104.122
    s3.us-east-2.amazonaws.com IN A 16.12.66.97
    s3.us-east-2.amazonaws.com IN A 52.219.105.25
  Traffic: 72 B sent, 200 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 169.110.219.52.in-addr.arpa IN PTR
  Response: 169.110.219.52.in-addr.arpa IN PTR s3.us-east-2.amazonaws.com
  Traffic: 73 B sent, 113 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 61.39.156.108.in-addr.arpa IN PTR
  Response: 61.39.156.108.in-addr.arpa IN PTR server-108-156-39-61.lhr50.r.cloudfront.net
  Traffic: 72 B sent, 129 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 26.165.165.52.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 72 B sent, 146 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 15.164.165.52.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 72 B sent, 146 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 233.143.123.92.in-addr.arpa IN PTR
  Response: 233.143.123.92.in-addr.arpa IN PTR a92-123-143-233.deploy.static.akamaitechnologies.com
  Traffic: 73 B sent, 139 B received, 1 packet sent, 1 packet received

Remote address: 8.8.8.8:53 (dns)
  Request: 30.243.111.52.in-addr.arpa IN PTR
  Response: (none)
  Traffic: 72 B sent, 158 B received, 1 packet sent, 1 packet received

Remote address: 52.219.110.169:443 (tls)
  Domain: s3.us-east-2.amazonaws.com
  Process: 2024091768d6f593506c81b48a05363139063540cobaltstrikecobaltstrikepoetratsnatch.exe
  Traffic: 1.2kB sent, 7.5kB received, 16 packets sent, 19 packets received